CVE-2022-50917 Overview
CVE-2022-50917 is an unquoted service path vulnerability affecting ProtonVPN version 1.26.0. The vulnerability exists in the WireGuard service configuration component, where an improper service path configuration allows local attackers to potentially execute arbitrary code with elevated privileges. This vulnerability type (CWE-428) occurs when Windows services are configured with executable paths containing spaces that are not enclosed in quotation marks, enabling attackers to place malicious executables in strategic file system locations.
Critical Impact
Local privilege escalation through service path hijacking allows attackers with low-privilege access to gain SYSTEM-level code execution during service startup or restart operations.
Affected Products
- ProtonVPN version 1.26.0
- ProtonVPN WireGuard Service Component
- Windows installations with default service configurations
Discovery Timeline
- 2026-01-13 - CVE CVE-2022-50917 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2022-50917
Vulnerability Analysis
The unquoted service path vulnerability in ProtonVPN 1.26.0 stems from improper configuration of the WireGuard service executable path in the Windows Service Control Manager. When a service path contains spaces and is not properly quoted, Windows parses the path in a specific order, attempting to execute files at each space boundary before the full intended path.
For example, if the service path is configured as C:\Program Files\ProtonVPN\WireGuard\Service.exe, Windows will attempt to execute in this order:
- C:\Program.exe
- C:\Program Files\ProtonVPN\WireGuard\Service.exe
This parsing behavior creates an opportunity for attackers to plant malicious executables at predictable locations in the file system. Since Windows services typically run with SYSTEM privileges, successful exploitation grants the attacker the highest level of system access.
Root Cause
The root cause of CVE-2022-50917 is the failure to enclose the WireGuard service executable path in double quotation marks during service registration. This configuration oversight in ProtonVPN 1.26.0's installer or service registration routine leaves the service path vulnerable to path interception attacks. The CWE-428 (Unquoted Search Path or Element) classification highlights the fundamental issue: software that uses unquoted paths containing spaces creates exploitable conditions in the Windows service execution model.
Attack Vector
The attack vector for this vulnerability is local, requiring the attacker to have low-privilege access to the target system. The exploitation process involves:
- Reconnaissance: The attacker identifies the unquoted service path by querying the Windows Service Control Manager or registry
- Payload Placement: A malicious executable is placed in a location that Windows will attempt to execute before the legitimate service binary (e.g., C:\Program.exe or a location within C:\Program Files\ directory structure)
- Privilege Escalation: When the ProtonVPN WireGuard service starts or restarts, Windows executes the malicious payload with SYSTEM privileges
The attacker requires write access to one of the candidate directories in the path parsing sequence. While C:\Program Files\ is typically protected, misconfigurations or writable parent directories can enable this attack.
Detection Methods for CVE-2022-50917
Indicators of Compromise
- Unexpected executable files in the root of C:\ drive (e.g., Program.exe, ProtonVPN.exe)
- Unauthorized executables in C:\Program Files\ or C:\Program Files\ProtonVPN\ directories
- Anomalous service startup behavior or unexpected child processes spawned by the WireGuard service
- Registry modifications to the ProtonVPN WireGuard service ImagePath value
Detection Strategies
- Monitor Windows Event Logs for service control events (Event IDs 7034, 7035, 7036) related to ProtonVPN services
- Implement file integrity monitoring on directories within the ProtonVPN service path
- Query Windows services for unquoted paths using PowerShell: Get-WmiObject win32_service | Where-Object {$_.PathName -notlike '"*"' -and $_.PathName -like '* *'}
- Deploy endpoint detection rules to alert on executable creation in unexpected locations along the service path
Monitoring Recommendations
- Enable SentinelOne's behavioral AI to detect privilege escalation attempts through service path hijacking
- Configure alerts for new executable file creation in C:\Program Files\ProtonVPN\ and parent directories
- Monitor process creation events where parent process is the WireGuard service and child process is unexpected
- Implement regular auditing of Windows service configurations to identify unquoted paths
How to Mitigate CVE-2022-50917
Immediate Actions Required
- Audit the ProtonVPN WireGuard service path configuration to confirm vulnerability status
- Update ProtonVPN to the latest available version that addresses this vulnerability
- Manually correct the service path by adding quotation marks around the ImagePath registry value
- Restrict write permissions on directories within the vulnerable service path to prevent payload placement
Patch Information
Users should update ProtonVPN to a version newer than 1.26.0 that properly quotes the WireGuard service path. Visit the ProtonVPN Official Site for the latest security updates and release notes. Additional technical details and exploit information can be found at Exploit-DB #50837 and the VulnCheck Advisory for ProtonVPN.
Workarounds
- Manually fix the service path by modifying the registry ImagePath value to include quotation marks
- Implement application whitelisting to prevent unauthorized executable execution
- Remove write permissions from all users on directories within the service path hierarchy
- Monitor and alert on any executable creation in vulnerable path locations until patching is complete
# Registry fix to quote the service path (run as Administrator)
# First, query the current service path
sc qc "ProtonVPN WireGuard"
# Modify the registry to add quotation marks
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[ServiceName]\ImagePath
# Change: C:\Program Files\ProtonVPN\WireGuard\Service.exe
# To: "C:\Program Files\ProtonVPN\WireGuard\Service.exe"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
